
NordVPN, the popular and highly regarded Virtual Private Network, has enhanced its already impressive security credentials by submitting itself to a full security audit of its apps.
The advanced application security audit was conducted by independent auditor VerSprite, a global leader in operational risk management and cybersecurity consulting.
VerSprite carried out a penetration test using the PASTA method, and the results were good news for NordVPN.
No critical vulnerabilities
The headline news to come out of this audit was that VerSprite found no critical vulnerabilities in any of the NordVPN apps they audited.
A number of lesser vulnerabilities were identified. One of these vulnerabilities was given a high severity score, and the rest were only considered to warrant a medium to low severity score.
According to Daniel Markuson of NordVPN, “these vulnerabilities were mitigated for each platform in scope.”
He added that NordVPN’s commitment to running this audit and dealing with all the minor issues it unearthed illustrated their clear commitment to user security.
What is the PASTA method?
If you want to understand a little more about what VerSprite has been doing and how it identified these vulnerabilities, it is worth understanding what the PASTA method is. It is not, as the name implies, anything to do with spaghetti at all.
PASTA stands for Process for Attack Simulation and Threat Analysis. Essentially this means that VerSprite has been testing the NordVPN system by simulating real-world attack scenarios and threats.
The PASTA method consists of a seven-stage process in which VerSprite simulates attacks and analyses threats to the NordVPN environment. The intention is to minimise risk and the associated impact on the business.
During this particular audit, VerSprite’s team of analysts focused their efforts on breaching confidential user data, identifying high-impact vulnerabilities that could lead to IP leaks, and overall privilege escalation.
The results were extremely positive for NordVPN, and those minor vulnerabilities that were detected were all swiftly patched.
NordVPN’s audit record
There are still some VPNs on the market that require users to take them at their word when it comes to the security of their apps and the veracity of their no-user-logs claims.
But it is increasingly expected that a responsible VPN provider will go to the effort of getting independent auditors to prove that they are as good as their word.
NordVPN was one of the earliest proponents of this. It also conducted the industry’s first audit of its no-logs policy.
This audit was performed by PricewaterhouseCoopers AG (Zurich, Switzerland), one of the Big 4 auditing firms and one of the most dependable and capable auditors in the world.
Most people have heard of PwC, and while VerSprite is a company less likely to ring a bell, it is actually one of the most respected operational risk management and security consulting firms.
It has worked with a number of other VPNs already, and in choosing VerSprite, NordVPN has proved that it is not just going through the motions but is genuinely attempting to get the best possible security audit it can.
As is common with this type of audit, the full results of the audit are not being put into the open public domain.
NordVPN users, however, can take a look at the full results. To do this, all you need to do is head to the NordVPN User Control Panel, where you will find the attestation letter that contains all the information you need.
Even before this audit, NordVPN offered one of the most secure and dependable VPN services around. Check out our NordVPN review to discover more.
But by hiring VerSprite to look through their apps, NordVPN has proved once again that it is a secure and reliable VPN provider that you can trust.